ipsec_filtermode.diff - pfSense - pfSense bugtracker

      * Specify the driver prefix to match (from the left)
      * https://redmine.pfsense.org/issues/8685
      */
     global $filter_interface_blacklist;
     $filter_interface_blacklist = array("ipsec");
     global $filter_interface_remove;
     $filter_interface_remove = array();
     if ($config['ipsec']['filtermode'] == 'if_ipsec') {
     	$filter_interface_remove[] = 'enc';
     } else {
     	$filter_interface_remove[] = 'ipsec';
+    }
     /*
      * Fixed tracker values (used to group and track usage in GUI):
-...
+    }
     function filter_get_interface_list() {
     	global $filter_interface_blacklist;
     	global $filter_interface_remove;
     	$iflist = create_interface_list();
     	$filter_ifs = array();
     	foreach ($iflist as $ifent => $ifname) {
     		$realifname = get_real_interface($ifent);
     		foreach ($filter_interface_blacklist as $ifbl) {
     			if (substr($realifname, 0, strlen($ifbl)) == $ifbl) {
     		foreach ($filter_interface_remove as $ifr) {
     			if (substr($realifname, 0, strlen($ifr)) == $ifr) {
     				continue 2;
+    			}
+    		}

     	"net.inet.udp.checksum" => 1,
     	"net.inet.icmp.reply_from_interface" => 1,
     	"net.inet6.ip6.rfc6204w3" => 1,
     	"net.enc.out.ipsec_bpf_mask" => "0x0001",
     	"net.enc.out.ipsec_filter_mask" => "0x0001",
     	"net.enc.in.ipsec_bpf_mask" => "0x0002",
     	"net.enc.in.ipsec_filter_mask" => "0x0002",
     	"net.key.preferred_oldsa" => "0",
     	"net.inet.carp.senderr_demotion_factor" => 0, /* Do not demote CARP for interface send errors */
     	"net.pfsync.carp_demotion_factor" => 0, /* Do not demote CARP for pfsync errors */
-...
     		'hmac-sha384' => 'HMAC-SHA384',
     		'hmac-sha512' => 'HMAC-SHA512 (most secure)');
     global $ipsec_filtermodes;
     $ipsec_filtermodes = array(
     	'enc' => 'Filter IPsec Tunnel and VTI on IPsec tab (enc0)',
     	'if_ipsec' => 'Filter IPsec VTI on assigned interfaces, block all tunnel mode traffic'
     );
     global $ipsec_filter_sysctl;
     $ipsec_filter_sysctl = array(
     	'enc' => array(
     		"net.inet.ipsec.filtertunnel"   => "0x0000",
     		"net.inet6.ipsec6.filtertunnel" => "0x0000",
     		"net.enc.out.ipsec_bpf_mask"    => "0x0001",
     		"net.enc.out.ipsec_filter_mask" => "0x0001",
     		"net.enc.in.ipsec_bpf_mask"     => "0x0002",
     		"net.enc.in.ipsec_filter_mask"  => "0x0002"
     	),
     	'if_ipsec' => array(
     		"net.inet.ipsec.filtertunnel"   => "0x0001",
     		"net.inet6.ipsec6.filtertunnel" => "0x0001",
     		"net.enc.out.ipsec_bpf_mask"    => "0x0000",
     		"net.enc.out.ipsec_filter_mask" => "0x0000",
     		"net.enc.in.ipsec_bpf_mask"     => "0x0000",
     		"net.enc.in.ipsec_filter_mask"  => "0x0000"
     	),
     );
     ?>

+    }
     function activate_sysctls() {
     	global $config, $g, $sysctls;
     	global $config, $g, $sysctls, $ipsec_filter_sysctl;
     	if (!is_array($sysctls)) {
     		$sysctls = array();
+    	}
     	$ipsec_filtermode = empty($config['ipsec']['filtermode']) ? 'enc' : $config['ipsec']['filtermode'];
     	$sysctls = array_merge($sysctls, $ipsec_filter_sysctl[$ipsec_filtermode]);
     	if (is_array($config['sysctl']) && is_array($config['sysctl']['item'])) {
     		foreach ($config['sysctl']['item'] as $tunable) {

     require_once("ipsec.inc");
     require_once("vpn.inc");
     global $ipsec_filtermodes;
     $pconfig['logging'] = ipsec_get_loglevels();
     $pconfig['unityplugin'] = isset($config['ipsec']['unityplugin']);
     $pconfig['strictcrlpolicy'] = isset($config['ipsec']['strictcrlpolicy']);
-...
     $pconfig['maxmss_enable'] = isset($config['system']['maxmss_enable']);
     $pconfig['maxmss'] = $config['system']['maxmss'];
     $pconfig['uniqueids'] = $config['ipsec']['uniqueids'];
     $pconfig['filtermode'] = $config['ipsec']['filtermode'];
     $pconfig['ipsecbypass'] = isset($config['ipsec']['ipsecbypass']);
     $pconfig['bypassrules'] = $config['ipsec']['bypassrules'];
     $pconfig['port'] = $config['ipsec']['port'];
-...
     			unset($config['ipsec']['uniqueids']);
+    		}
     		if (!empty($_POST['filtermode'])) {
     			$config['ipsec']['filtermode'] = $_POST['filtermode'];
     		} else if (isset($config['ipsec']['filtermode'])) {
     			unset($config['ipsec']['filtermode']);
+    		}
     		if ($_POST['maxmss_enable'] == "yes") {
     			$config['system']['maxmss_enable'] = true;
     			$config['system']['maxmss'] = $_POST['maxmss'];
-...
     		$retval |= filter_configure();
     		ipsec_configure($needsrestart);
     		system_setup_sysctl();
     		clear_subsystem_dirty('sysctl');
+    	}
     	// The logic value sent by $_POST for autoexcludelanaddress is opposite to
-...
     	'<b>', '</b>'
     );
     $section->addInput(new Form_Select(
     	'filtermode',
     	'IPsec Filter Mode',
     	$pconfig['filtermode'],
     	$ipsec_filtermodes
     ))->setHelp(
     	'Experimental. Controls how the firewall will filter IPsec traffic. By default, rules on ' .
     	'the IPsec tab filter all IPsec traffic, including both tunnel mode and VTI mode. %3$s' .
     	'This is limited in that it does not allow for filtering on assigned VTI interfaces, and it does not ' .
     	'support features such as NAT rules and reply-to for return routing. ' .
     	'When set to filter on assigned VTI interfaces, %1$sall tunnel mode traffic is blocked%2$s. ' .
     	'Do not set this option unless %1$sall%2$s IPsec tunnels are using VTI.',
     	'<b>', '</b>', '<br />'
     );
     $section->addInput(new Form_Checkbox(
     	'compression',
     	'IP Compression',

Project

General

Profile

pfSense

Bug #8686 » ipsec_filtermode.diff